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DETAILED ACTION 


This seeond non-final action is in response to the amendment filed 09/09/2008. Claims 
1-3, 5-7, & 9-18 are pending and have been considered as follows. 

Specification 

1 . The specification is objected to as failing to provide proper antecedent basis for the 

claimed subject matter. See 37 CFR 1.75(d)(1) and MPEP § 608.01(o). Correction of the 
following is required: 

- Claim 1 : 

o Line 26 recites “independent of the authentication server” however, this limitation 
lacks antecedent basis in view of the applicant's Specification; 

- Claim 5 : 

o Lines 6 & 8 recite “independent of the authentication server” however, this 
limitation lacks antecedent basis in view of the applicant's Specification; 

- Claim 6: 

o Line 24 recites “independent of the authentication server” however, this limitation 
lacks antecedent basis in view of the applicant's Specification; 

- Claim 7: 

o Lines 16-18 recite “independent of the authentication server” however, this 
limitation lacks antecedent basis in view of the applicant's Specification; 
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- Claim 10: 

o Lines 6 & 7 recite “independent of the authentication server” however, this 
limitation lacks antecedent basis in view of the applicant's Specification; 

- Claim 13: 

o Lines 28 & 35 recite “independent of the authentication server” however, this 
limitation lacks antecedent basis in view of the applicant's Specification; 

- Claim 15: 

o Lines 4-6 recite “independent of the authentication server” however, this 
limitation lacks antecedent basis in view of the applicant's Specification; 

- Claim 17: 

o Lines 4-6 recite “independent of the authentication server” however, this 
limitation lacks antecedent basis in view of the applicant's Specification; 

- Claim 18: 

o Lines 2, 5, 1 1, & 21 recite “independent of the authentication server” however, 
this limitation lacks antecedent basis in view of the applicant's Specification; 
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Claim Objections 

2. Claims 1, 3, 5-7, 9, 12, & 18 are objected to because of the following informalities: 

- Claim 1 : 

o Lines 6, 10, 15, 19, 22, 24, 29, & 32 recite the term “for” which should be 
. .eonfigured to. . as the current claim language appears to be intended use 
language; 

o Line 13 reeites the term “when” which should be “...once...” to clarify exactly 
“when” the limitation which precedes it occurs; 

- Claim 3 : 

o Line 1 recites “for being” which should be omitted as the current elaim language 
appears to be intended use language; 

o Lines 4, 8, & 1 1 recite the term “for” which should be “. . .configured to. . .” as the 
current claim language appears to be intended use language; 

o Line 9 recites the term “when” which should be “...once...” to elarify exactly 
“when” the limitation which precedes it occurs; 

- Claim 5 : 

o Lines 3 & 10 recite the term “for” which should be “. . .configured to. . .” as the 
current claim language appears to be intended use language; 
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- Claim 6: 

o Lines 6, 10, 14, 20, & 23 recite the term “for” which should be . .configured 
to. . as the current claim language appears to be intended use language; 
o Line 1 1 recites the term “when” which should be “...once...” to clarify exactly 
“when” the limitation which precedes it occurs; 

- Claim?: 

o Lines 4, 8, & 12 recite the term “for” which should be “. . .configured to. . .” as the 
eurrent elaim language appears to be intended use language; 
o Line 5 reeites the term “for” which should be omitted as the current claim 
language appears to be intended use language; 
o Line 9 recites the term “when” which should be “...once...” to clarify exactly 
“when” the limitation which precedes it occurs; 

- Claim 9: 

o Lines 3, 6, 10, & 14 recite the term “for” which should be “. . .eonfigured to. . .” as 
the current claim language appears to be intended use language; 
o Line 21 recites the term “when” which should be “...if...” to clarify exactly 
“when” the limitation which precedes it occurs; 
o Lines 3-5 and lines 19-22 appear to be very similar, where lines 19-22 appear to 
include additional details not found in lines 3-5, the examiner suggests 
consolidation of these two sets of limitations in order to avoid unnecessary 
redundancy and improve claim clarity; 
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- Claim 12: 

o Line 7 reeites “associating” which in keeping with the nature of the other 
amendments, appears to have been meant to be written as . .storing. . 
o Lines 13 & 16 recite the term “when” which should be “...once...” to clarify 
exactly “when” the limitation which precedes it occurs; 

- Claim 18: 

o Line 1 recites “computer readable medium” which should be “. . .computer 
readable storage medium. . 

o Line 27 recites the term “when” which should be “...if...” to clarify exactly 

“when” the limitation which precedes it occurs; 

See MPEP 2106 with respect to intended use or other similar language as necessary: 

The subject matter of a properly construed claim is defined by the terms 
that limit its scope. It is this subject matter that must be examined. As a general 
matter, the grammar and intended meaning of terms used in a claim will dictate 
whether the language limits the claim scope. Language that suggests or makes 
optional but does not require steps to be performed or does not limit a claim to a 
particular structure does not limit the scope of a claim or claim limitation. The 
following are examples of language that may raise a question as to the limiting 
effect of the language in a claim: 

(A) statements of intended use or field of use, 

(B) “adapted to ’’ or “adapted for” clauses, 

( C) “wherein ” clauses, or 

(D) “whereby” clauses. 


Appropriate correction is required. 
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Claim Rejections - 35 USC §112 

3. The following is a quotation of the first paragraph of 35 U.S.C. 1 12: 

The specification shall contain a written description of the invention, and of the manner and process of making 
and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and use the same and shall set forth the best mode 
contemplated by the inventor of carrying out his invention. 

4. Claims 1, 5-7, 10, 13, 15, 17, & 18 are rejected under 35 U.S.C. 1 12, first paragraph, as 
failing to comply with the written description requirement. The claim(s) contains subject matter 
which was not described in the specification in such a way as to reasonably convey to one skilled 
in the relevant art that the inventor(s), at the time the application was filed, had possession of the 
claimed invention. 

- Claim 1 : 

o Line 26 recites “independent of the authentication server” however, this limitation 
appears to lack support in view of the applicant’s original disclosure and is 
thereby considered as new matter; 

- Claim 5 : 

o Lines 6 & 8 recite “independent of the authentication server” however, this 
limitation appears to lack support in view of the applicant’s original disclosure 
and is thereby considered as new matter; 

Claim 6: 

o Line 24 recites “independent of the authentication server” however, this limitation 
appears to lack support in view of the applicant’s original disclosure and is 


thereby considered as new matter; 
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- Claim 7 : 

o Lines 16-18 recite “independent of the authentication server” however, this 
limitation appears to lack support in view of the applicant’s original disclosure 
and is thereby considered as new matter; 

- Claim 10: 

o Lines 6 & 7 recite “independent of the authentication server” however, this 
limitation appears to lack support in view of the applicant’s original disclosure 
and is thereby considered as new matter; 

- Claim 13: 

o Lines 28 & 35 recite “independent of the authentication server” however, this 
limitation appears to lack support in view of the applicant’s original disclosure 
and is thereby considered as new matter; 

- Claim 15: 

o Lines 4-6 recite “independent of the authentication server” however, this 
limitation appears to lack support in view of the applicant’s original disclosure 
and is thereby considered as new matter; 

- Claim 17: 

o Lines 4-6 recite “independent of the authentication server” however, this 
limitation appears to lack support in view of the applicant’s original disclosure 
and is thereby considered as new matter; 



Application/Control Number: 10/790,082 
Art Unit: 2436 


Page 9 


- Claim 18: 

o Lines 2, 5, 1 1, & 21 recite “independent of the authentication server” however, 
this limitation appears to lack support in view of the applicant’s original 
disclosure and is thereby considered as new matter; 

5. The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the 
subject matter which the applicant regards as his invention. 

6. Claims 12 & 18 are rejected under 35 U.S.C. 112, second paragraph, as being indefinite 
for failing to partieularly point out and distinctly claim the subject matter which applicant 
regards as the invention. 

Claim 12 discloses “a connection method using a network connection system including a 
client apparatus, an authentication server, and a connection server” comprising several 
steps, however, it is unclear and difficult to determine which “server” or “apparatus” 
performs which step; 

Claim 18 discloses “a computer readable medium storing a program eausing a eomputer 
of a client apparatus to execute an access processing to a network system including an 
authentication server and a connection server” however, it is unclear as to at which point 
the client apparatus receives and stores, if ever, the first and second information 
generated by the connection server; 
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Claim Rejections - 35 USC §101 
1 . 35 U.S.C. 101 reads as follows: 

Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or 
any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and 
requirements of this title. 

Claims 1, 3, 5-7, 9-1 1 are rejected under 35 U.S.C. 101 because the claimed invention is 
directed to non- statutory subject matter. 

Claim 1 discloses “a network connection system” comprising “a client apparatus” and 
“authentication server” and “a connection server” however, these three components of the 
system appear to be merely software; that is, there does not appear to be supporting 
evidence in view of the applicant’s Specification or Drawings that would clearly illustrate 
or disclose that these components are hardware apparatuses and not merely computer 
software programs, thereby invoking 35 U.S.C. 101 as non-statutory subject matter; 

Claim 3 discloses “an authentication server for being connected to a plurality of client 
apparatuses and a plurality of connection servers” comprising a plurality of “units” which 
appear to be nothing more than computer software programs, thereby invoking 35 U.S.C. 
101 as non-statutory subject matter; 

Claim 5 discloses “a connection server operating with an authentication server and a 
client apparatus” comprising a plurality of “units” which appear to be nothing more than 
computer software programs, thereby invoking 35 U.S.C. 101 as non-statutory subject 
matter; 

Claim 6 discloses “a network connection system” comprising “a client apparatus” and 
“an authentication server” and “a coimection server” however, these three components of 
the system appear to be merely software with each comprising a plurality of “units” 
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which also appear to be nothing more than computer software programs, thereby 
invoking 35 U.S.C. 101 as non-statutory subject matter; 

Claim 7 discloses “an authentication server operating with a plurality of client 
apparatuses and a plurality of connection servers” comprising a plurality of “units” which 
appear to be nothing more than computer software programs, thereby invoking 35 U.S.C. 
101 as non-statutory subject matter; 

Claim 9 discloses “a client apparatus operating with an authentication server and a 
connection server” comprising a plurality of “units” which appear to be nothing more 
than computer software programs, thereby invoking 35 U.S.C. 101 as non-statutory 
subject matter; 

Claim 10 discloses “a connection server operating with a client apparatus and an 
authentication server” comprising a plurality of “units” which appear to be nothing more 
than computer software programs, thereby invoking 35 U.S.C. 101 as non-statutory 
subject matter; 

Claim 1 1 discloses “a network connection system” comprising “a client apparatus” and 
“authentication server” and “a connection server” however, these three components of the 
system appear to be merely software; that is, there does not appear to be supporting 
evidence in view of the applicant’s Specification or Drawings that would clearly illustrate 
or disclose that these components are hardware apparatuses and not merely computer 
software programs, thereby invoking 35 U.S.C. 101 as non-statutory subject matter; 



Application/Control Number: 10/790,082 
Art Unit: 2436 


Claim Rejections - 35 USC §103 

8. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejeetions set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
sueh that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

9. Claims 5, 10, & 15 are rejected under 35 U.S.C. 103(a) as being unpatentable over Fuh et 
M.(US-6463474-Bl). 

Claims 5 & 15: 

Fuh et al disclose a eonnection server operating with an authentication server and a client 
apparatus comprising, 

- “switching from a state in which authentication information is not allowed to be received 
from the client address, independent of the authentication server, to a state in which 
authentication information is allowed to be received from the client address, independent 
of the authentication server” (i.e. “the firewall re-configures itself, in response to 
successful authentication, so that packets that would otherwise be barred are now allowed 
to pass”) [column 7 lines 58-61]; 

“the switching occurring in response to the receiving of the client address” (i.e. “In 
response to receiving the authentication information, the firewall performs an 
authentication”) [column 7 lines 50-51]; 
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“an authentication unit for receiving the authentication information from the client 
apparatus having the client address to perform itself an authentication process by using 
the authentication information” (i.e. “In response to receiving the authentication 
information, the firewall performs an authentication and authorization process”) [column 
7 lines 50-52]; 

but, they do not explicitly disclose, 

“a control unit for receiving a client address of the client apparatus from the 
authentication server after the authentication server authenticates information received 
from the client address,” although Fuh et al. do suggest including source and destination 
IP addresses in the packets used in communication between devices, as recited below; 
“wherein after a limited time period has elapsed since the control unit performs the 
switching, the control unit switches back from the state in which authentication 
information is allowed to be received from the client address, independent of the 
authentication server, to the state in which authentication information is not allowed to be 
received from the client address, independent of the authentication server,” although Fuh 
et al. do suggest switching modes/states, as recited below; 

however, Fuh et al do disclose, 

“Each packet of an HTTP request includes a header portion that contains one or more 
fields of information. The fields include, among other things, values for source IP address 
and destination IP address of that packef ’ [column 10 lines 23-24]; 

“the firewall re-configures itself, in response to successful authentication, so that packets 
that would otherwise be barred are now allowed to pass”) [column 7 lines 58-61]; 
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Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “a control unit for receiving a client address of the client 
apparatus from the authentication server after the authentication server authenticates information 
received from the client address” and “wherein after a limited time period has elapsed since the 
control unit performs the switching, the control unit switches back from the state in which 
authentication information is allowed to be received from the client address, independent of the 
authentication server, to the state in which authentication information is not allowed to be 
received from the client address, independent of the authentication server,” in the invention as 
disclosed by Fuh et al for the purposes of providing adjustable access control based on the 
source and destination address of sent and received information. 

Claim 10: 

Fuh et al disclose a connection server operating with an authentication server and a client 
apparatus comprising, 

“switches, in response to the receiving of the address, from a state in which 
authentication information is not allowed to be received from the client address, 
independent of the authentication server, to a state in which authentication information is 
allowed to be received from the client address, independent of the authentication server” 
(i.e. “the firewall re-configures itself, in response to successful authentication, so that 
packets that would otherwise be barred are now allowed to pass”) [column 7 lines 58-61]; 
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“allows communication from the address of the client apparatus for a predetermined 
period” (i.e. “the firewall re-configures itself, in response to successful authentication, so 
that packets that would otherwise be barred are now allowed to pass”) [column 7 lines 
58-61]; 

“a transmitting unit that transmits to the authentication server information indicating that 
the connection server has shifted to a connection wait state in which the connection 
server allows communication from the address of the client apparatus for the 
predetermined period” (i.e. “the firewall re-configures itself, in response to successful 
authentication, so that packets that would otherwise be barred are now allowed to pass”) 
[column 7 lines 58-61]; 
but, they do not explicitly disclose, 

- “a control unit that receives from the authentication server an address of the client 
apparatus and,” although Fuh et al. do suggest including source and destination IP 
addresses in the packets used in communication between devices, as recited below; 
however, Fuh et al do disclose, 

“Each packet of an HTTP request includes a header portion that contains one or more 
fields of information. The fields include, among other things, values for source IP address 
and destination IP address of that packef ’ [column 10 lines 23-24]; 
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Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “a control unit that receives from the authentication server an 
address of the client apparatus and,” in the invention as disclosed by Fuh et al. for the purposes 
of providing adjustable access control based on the source and destination address of sent and 
received information. 

10. Claims 1-3, 6, 7, 9, 11-14, 16, & 17 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Lander (US-7350229-B1) in view of Fuh et al. (US-6463474-B1). 

Claims 1: 

Lander discloses a network connection system comprising, 

- “a client apparatus” (i.e. “a client”) [column 8 line 45]; 

“an authentication server” (i.e. “front-end server”) [column 8 line 45]; 

- “a connection server” (i.e. “back-end content servers”) [column 8 line 66]; 

“the authentication server includes: a retention unit for storing second connection 
authentication information generated by the connection server based on user 
identification information” (i.e. “memory 106, and at least one storage device”) [column 
8 line 47]; 

“a first unit for acquiring, from the client apparatus, second connection authentication 
information that is generated by the client apparatus based on user identification 
information input into the client apparatus” (i.e. “When the user signs onto the front-end 
server cluster 202, the central security process 222 transmits the user login data (e.g., 
username and password) to the policy server 204”) [column 1 1 lines 11-14]; 
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“acquiring a client address of the client apparatus when the first unit receives a 
connection request from the client apparatus” (i.e. “An electronic device, such as a front- 
end server 102 receives a client request 116”) [column 8 lines 44-45]; 

“the client apparatus includes: a third unit for transmitting the second connection 
authentication information generated by the client apparatus to the authentication server 
together with the connection request” (i.e. “When the user signs onto the front-end server 
cluster 202, the central security process 222 transmits the user login data (e.g., username 
and password) to the policy server 204”) [column 1 1 lines 11-14]; 
but. Lander does not explicitly disclose, 

- “storing an association between the second connection authentication information and a 
connection server address of the connection server,” although Fuh et al do suggest 
storing client authorization information, as recited below; 

“a second unit for transmitting the client address to the connection server address 
associated with the second connection authentication information acquired by the first 
unit,” although Fuh et al. do suggest sending and receiving source and destination IP 
addresses in the packets transmitted, as recited below; 

“transmitting the connection server address to the client apparatus,” although Fuh et al. 
do suggest sending and receiving source and destination IP addresses in the packets 
transmitted, as recited below; 

“a fourth unit for receiving the connection server address from the authentication server,” 
although Fuh et al. do suggest sending and receiving source and destination IP addresses 
in the packets transmitted, as recited below; 
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“a fifth unit for preparing first connection authentication information based on the user 
identifieation information input into the client apparatus,” although Fuh et al. do suggest 
user input identification information, as recited below; 

“transmitting, independent of the authentication server, the first connection authentication 
information to the connection server address of the connection server,” although Fuh et 
al do suggest receiving transmihed authentication information, as recited below; 

“the eonneetion server includes: a sixth unit for allowing the first connection 
authentication information to be received from the client apparatus, the client address 
being reeeived from the authentication server,” although Fuh et al. do suggest receiving 
transmitted authentication information, as recited below; 

“a seventh unit for performing itself an authentication process by using the first 
connection authentication information transmitted from the client address,” although Fuh 
et al. do suggest performing an authentication and authorization process, as recited 
below; 

“the authentication server, in response to receiving the second connection authentication 
information from the client apparatus, searches the retention unit for the second 
connection authentication information to determine the connection server address 
associated with the second connection authentication information,” although Fuh et al. do 
suggest verification through matching, as recited below; 
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however, Fuh et al do disclose, 

“storing client authorization information at the network device” [column 3 lines 5-6]; 

“The fields include, among other things, values for source IP address and destination IP 
address of that packet” [column 10 lines 23-24]; 

“A User 302 may enter username information in Username field 504 and may enter 
password information in Password field 506. To communicate the username and 
password information to Authentication Proxy 400, the user selects a "Submit" button 
508” [column 11 lines 61-66]; 

“Upon intercepting the HTTP packets, the firewall requests, from the client, 
authentication information such as username and password” [column 7 lines 48-50]; 

“In response to receiving the authentication information, the firewall performs an 
authentication and authorization process” [column 7 lines 50-52]; 

“determining whether a source IP address of the client in the request matches information 
in a filtering mechanism of the network device; and if so, determining whether the source 
IP address matches the authorization information stored in the network device” [column 3 
lines 48-52]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “storing an association between the second connection 
authentication information and a connection server address of the connection server” and “a 
second unit for transmitting the client address to the connection server address associated with 
the second connection authentication information acquired by the first unit” and “transmitting the 
connection server address to the client apparatus” and “a fourth unit for receiving the connection 
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server address from the authentication server” and “a fifth unit for preparing first connection 
authentication information based on the user identification information input into the client 
apparatus” and “transmitting, independent of the authentication server, the first connection 
authentication information to the connection server address of the connection server” and “the 
connection server includes: a sixth unit for allowing the first connection authentication 
information to be received from the client apparatus, the client address being received from the 
authentication server” and “a seventh unit for performing itself an authentication process by 
using the first connection authentication information transmitted from the client address” and 
“the authentication server, in response to receiving the second connection authentication 
information from the client apparatus, searches the retention unit for the second connection 
authentication information to determine the connection server address associated with the second 
connection authentication information,” in the invention as disclosed by Lander for the purposes 
of providing authentication based on multiple parts of information (i.e. address information, user 
identity, etc). 

Claim 2: 

Lander and Fuh et al. disclose a network connection system, as in Claim 1 , their combination 
further comprising, 

“the second connection authentication information is a message digest of the first 
connection authentication information” (i.e. “The user identifier may also be encrypted as 
an additional security precaution”) [column 1 1 lines 46-48]. 
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Claim 14: 

Lander and Fuh et al. disclose a network coimection system, as in Claim 1, but Lander does not 
explicitly disclose, 

“wherein the sixth unit of the connection server allows the first connection authentication 
information to be received from the client address for a limited time period,” although 
Fuh et al do suggest reconfiguration to permit access, as recited below; 
however, Fuh et al do disclose, 

- “In this context, "open a passageway" means that the firewall re-configures itself, in 
response to successful authentication, so that packets that would otherwise be barred are 
now allowed to pass” [column 7 lines 58-61]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “wherein the sixth unit of the connection server allows the first 
connection authentication information to be received from the client address for a limited time 
period,” in the invention as disclosed by Lander for the purposes of adjusting access control for 
permitting access. 

Claim 3 : 

Lander discloses an authentication server for being connected to a plurality of client apparatuses 
and a plurality of connection servers comprising, 

“a retention unit for storing second connection authentication information generated 
based on user identification information” (i.e. “memory 106, and at least one storage 
device”) [column 8 line 47]; 
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“a first unit for aequiring the second connection authentication information from a client 
apparatus and a elient address when the first unit receives a connection request from the 
elient apparatus” (i.e. “When the user signs onto the front-end server cluster 202, the 
eentral seeurity process 222 transmits the user login data (e.g., username and password) 
to the poliey server 204”) [column 1 1 lines 11-14]; 
but. Lander does not explicitly disclose, 

“storing an assoeiation between each second connection authentication information and a 
connection server address of a corresponding connection server,” although Fuh et al do 
suggest storing elient authorization information, as recited below; 

- “a seeond unit for transmitting the acquired client address to the connection server 
address of the eonnection server associated with the acquired second connection 
authentication information,” although Fuh et al. do suggest sending and receiving source 
and destination IP addresses in the packets transmitted, as recited below; 

“transmitting, independent of the connection server, the connection server address to the 
client apparatus which has transmitted the connection request,” although Fuh et al do 
suggest sending and receiving source and destination IP addresses in the packets 
transmitted, as recited below; 

“wherein the authentication server, in response to receiving the second connection 
authentication information from the client apparatus, searches the retention unit for the 
second connection authentication information to determine the connection server address 
associated with the second connection authentication information,” although Fuh et al. do 
suggest verification based on matching, as recited below; 
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however, Fuh et al do disclose, 

“storing client authorization information at the network device” [column 3 lines 5-6]; 

“The fields include, among other things, values for source IP address and destination IP 
address of that packet” [column 10 lines 23-24]; 

“determining whether a source IP address of the client in the request matches information 
in a filtering mechanism of the network device; and if so, determining whether the source 
IP address matches the authorization information stored in the network device” [column 3 
lines 48-52]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “storing an association between each second connection 
authentication information and a connection server address of a corresponding connection 
server” and “a second unit for transmitting the acquired client address to the connection server 
address of the connection server associated with the acquired second connection authentication 
information” and “transmitting, independent of the connection server, the conneetion server 
address to the client apparatus which has transmitted the connection request” and “wherein the 
authentication server, in response to receiving the second connection authentication information 
from the client apparatus, searches the retention unit for the second connection authentication 
information to determine the connection server address associated with the second connection 
authentication information,” in the invention as disclosed by Lander for the purposes of 
providing authentication based on multiple parts of information (i.e. address information, user 
identity, etc). 
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Claim 6: 

Lander discloses a network connection system comprising, 

“a client apparatus” (i.e. “a client”) [column 8 line 45]; 

“an authentication server” (i.e. “front-end server”) [column 8 line 45]; 

“a connection server” (i.e. “back-end content servers”) [column 8 line 66]; 

- “the authentication server includes: a retention unit for storing a first encrypted user name 
and a first encrypted password, which are encrypted by a first encryption method” (i.e. 
“memory 106, and at least one storage device”) [column 8 line 47]; 

“a first unit for acquiring the first encrypted user name and the first encrypted password 
and a client address when the first unit receives a connection request from the client 
apparatus” (i.e. “When the user signs onto the front-end server cluster 202, the central 
security process 222 transmits the user login data (e.g., username and password) to the 
policy server 204”) [column 1 1 lines 11-14]; 

“the first encrypted user name and the first encrypted password being an identification for 
identifying a user of the client apparatus” (i.e. “The user identifier may also be encrypted 
as an additional security precaution”) [column 1 1 lines 46-48]; 

“the client apparatus includes: a third unit for transmitting to the authentication server the 
first encrypted user name and the first encrypted password, which are encrypted by the 
first encryption method together with the connection request” (i.e. “When the user signs 
onto the front-end server cluster 202, the central security process 222 transmits the user 
login data (e.g., username and password) to the policy server 204”) [column 1 1 lines 11- 


14 ]; 



Application/Control Number: 10/790,082 Page 25 

Art Unit: 2436 

“transmitting, independent of the authentication server, to the connection server address a 
second encrypted user name and a second encrypted password, which are generated by 
enerypting using a second encryption method a user name and a password input by the 
user” (i.e. “The user identifier may also be encrypted as an additional security 
precaution”) [column 1 1 lines 46-48]; 
but. Lander does not explicitly disclose, 

“storing an assoeiation between a connection server address of the connection server and 
the first enerypted user name and first encrypted password,” although Fuh et al do 
suggest storing elient authorization information, as recited below; 

- “a seeond unit for transmitting the acquired client address to the connection server 
address associated with the user identification information,” although Fuh et al do 
suggest sending and receiving source and destination IP addresses in the packets 
transmitted, as recited below; 

“receiving from the connection server information indicating that the eonneetion server 
has shifted to a connection wait state,” although Fuh et al. do suggest reconfiguration to 
permit access, as recited below; 

“transmitting, independent of the connection server, the connection server address to the 
client apparatus,” although Fuh et al. do suggest sending and receiving source and 
destination IP addresses in the packets transmitted, as recited below; 

“a fourth unit for receiving the connection server address from the authentication server,” 
although Fuh et al. do suggest sending and receiving source and destination IP addresses 
in the packets transmitted, as recited below; 
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“the authentieation server, in response to receiving the first encrypted user name and the 
first enerypted password from the client apparatus, searches the retention unit for the first 
enerypted user name and the first encrypted password to determine the connection server 
address assoeiated with the first encrypted user name and the first encrypted password,” 
although Fuh et al. do suggest verification based on matching, as recited below; 
however, Fuh et al. do disclose, 

“storing elient authorization information at the network device” [column 3 lines 5-6]; 

- “The fields inelude, among other things, values for source IP address and destination IP 
address of that paeket” [column 10 lines 23-24]; 

- “In this eontext, "open a passageway" means that the firewall re-configures itself, in 
response to successful authentication, so that packets that would otherwise be barred are 
now allowed to pass” [column 7 lines 58-61]; 

“determining whether a source IP address of the client in the request matehes information 
in a filtering mechanism of the network device; and if so, determining whether the source 
IP address matches the authorization information stored in the network device” [eolumn 3 
lines 48-52]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “storing an association between a connection server address of 
the connection server and the first encrypted user name and first encrypted password” and “a 
second unit for transmitting the acquired client address to the connection server address 
associated with the user identification information” and “receiving from the connection server 
information indicating that the connection server has shifted to a connection wait state” and 
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“transmitting, independent of the connection server, the connection server address to the client 
apparatus” and “a fourth unit for receiving the coimection server address from the authentication 
server” and “the authentieation server, in response to receiving the first encrypted user name and 
the first enerypted password from the client apparatus, searches the retention unit for the first 
enerypted user name and the first encrypted password to determine the connection server address 
assoeiated with the first encrypted user name and the first encrypted password,” in the invention 
as diselosed by Lander for the purposes of providing authentication based on multiple parts of 
information (i.e. address information, user identity, etc). 

Claim 7 : 

Lander discloses an authentication server operating with a plurality of client apparatuses and a 
plurality of connection servers comprising, 

- “a retention unit for storing user names and passwords, which are encrypted by a 
predetermined method” (i.e. “memory 106, and at least one storage device”) [column 8 
line 47]; 

- “a first unit for acquiring an acquired encrypted user name, an acquired enerypted 
password, and an acquired client address when the first unit receives a connection request 
from the client apparatus” (i.e. “When the user signs onto the front-end server cluster 
202, the central security process 222 transmits the user login data (e.g., username and 
password) to the policy server 204”) [column 1 1 lines 11-14]; 

“the encrypted user name and password being an identification information of a user of 
the client apparatus” (i.e. “The user identifier may also be encrypted as an additional 
security precaution”) [column 11 lines 46-48]; 
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but, Lander does not explicitly disclose, 

“storing association between both of each user name and each password and a connection 
server address of a corresponding connection server,” although Fuh et al do suggest 
storing client authorization information, as recited below; 

“a second unit for transmihing the acquired client address to the connection server 
address associated with the acquired encrypted user name and password,” although Fuh 
et al. do suggest sending and receiving source and destination IP addresses in the packets 
transmitted, as recited below; 

“receiving from the connection server information indicating that the connection server 
has shifted state in which authentication information is not allowed to be received from 
the client address, independent of the authentication server, to a state in which 
authentication information is allowed to be received from the client address, independent 
of the authentication server,” although Fuh et al. do suggest reconfiguration to permit 
access, as recited below; 

- “transmitting, independent of the connection server, the connection server address to the 
client apparatus, which has issued the connection request,” although Fuh et al. do suggest 
sending and receiving source and destination IP addresses in the packets transmitted, as 


recited below; 
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“the authentieation server, in response to receiving the identification information of a 
user of the elient apparatus from the client apparatus, searches the retention unit for the 
identifieation information of a user of the client apparatus to determine the connection 
server address associated with the identification information of a user of the client 
apparatus,” although Fuh et al, do suggest verification based on matching, as recited 
below; 

however, Fuh et al do diselose, 

- “storing elient authorization information at the network device” [column 3 lines 5-6]; 

“The fields inelude, among other things, values for source IP address and destination IP 
address of that paeket” [column 10 lines 23-24]; 

“In this context, "open a passageway" means that the firewall re-configures itself, in 
response to successful authentication, so that packets that would otherwise be barred are 
now allowed to pass” [column 7 lines 58-61]; 

“determining whether a source IP address of the client in the request matehes information 
in a filtering mechanism of the network device; and if so, determining whether the source 
IP address matches the authorization information stored in the network device” [column 3 
lines 48-52]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “storing association between both of each user name and each 
password and a connection server address of a corresponding connection server” and “a second 
unit for transmitting the acquired client address to the connection server address associated with 
the acquired encrypted user name and password” and “receiving from the connection server 
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information indicating that the connection server has shifted state in which authentication 
information is not allowed to be received from the client address, independent of the 
authentication server, to a state in which authentication information is allowed to be received 
from the client address, independent of the authentication server” and “transmitting, independent 
of the connection server, the connection server address to the client apparatus, which has issued 
the connection request” and “the authentication server, in response to receiving the identification 
information of a user of the client apparatus from the client apparatus, searches the retention unit 
for the identification information of a user of the client apparatus to determine the connection 
server address associated with the identification information of a user of the client apparatus,” in 
the invention as disclosed by Lander for the purposes of providing authentication based on 
multiple parts of information (i.e. address information, user identity, etc). 

Claim 9: 

Lander discloses a client apparatus operating with an authentication server and a connection 
server comprising, 

- “a connection request unit for transmitting to the authentication server a connection 
request and a user name and a password which are encrypted by a first encr}q)tion 
method” (i.e. “When the user signs onto the front-end server cluster 202, the central 
security process 222 transmits the user login data (e.g., username and password) to the 
policy server 204”) [column 11 lines 11-14]; 

“encrypting by a second encryption method the user name and the password input by a 
user” (i.e. “The user identifier may also be encrypted as an additional security 
precaution”) [column 1 1 lines 46-48]; 
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“a retention unit for storing local authentication information, which is previously supplied 
from the eonneetion server” (i.e. “memory 106, and at least one storage device”) [column 
8 line 47]; 

“the eonneetion request unit transmits to the authentication server the connection request 
and the user name and the password which are encrypted by the first method only when 
the user name and the password input by the user are authenticated by the local 
authentication unit” (i.e. “When the user signs onto the front-end server cluster 202, the 
eentral seeurity proeess 222 transmits the user login data (e.g., username and password) 
to the poliey server 204”) [column 1 1 lines 11-14]; 
but. Lander does not explicitly disclose, 

“a receiving unit for receiving, independent of the connection server, a connection server 
address from the authentication server,” although Fuh et al. do suggest sending and 
receiving source and destination IP addresses in the packets transmitted, as recited below; 
“a transmitting unit for transmitting the encrypted user name and password to the 
connection server address,” although Fuh et al. do suggest receiving transmitted 
authentication information, as recited below; 

“the local authentication information associating unique information of the client 
apparatus with at least one of a user name and a password previously provided to the 
connection server,” although Fuh et al. do suggest storing client authorization 


information, as recited below; 
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“a local authentication unit for generating the unique information upon receiving a user 
name and a password input by the user,” although Fuh et al. do suggest user input 
identification information, as recited below; 

“authenticating the user name and the password input by the user by judging based on the 
local authentication information whether or not at least one of the user name and the 
password input by the user is associated with the unique information,” although Fuh et al. 
do suggest performing an authentication and authorization process, as recited below; 
however, Fuh et al do disclose, 

“The fields include, among other things, values for source IP address and destination IP 
address of that packet” [column 10 lines 23-24]; 

“Upon intercepting the HTTP packets, the firewall requests, from the client, 
authentication information such as username and password” [column 7 lines 48-50]; 
“storing client authorization information at the network device” [column 3 lines 5-6]; 

“A User 302 may enter username information in Username field 504 and may enter 
password information in Password field 506. To communicate the username and 
password information to Authentication Proxy 400, the user selects a "Submit" button 
508” [column 11 lines 61-66]; 

“In response to receiving the authentication information, the firewall performs an 
authentication and authorization process” [column 7 lines 50-52]; 


Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “a receiving unit for receiving, independent of the connection 
server, a connection server address from the authentication server” and “a transmitting unit for 
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transmitting the enerypted user name and password to the connection server address” and “the 
local authentication information associating unique information of the client apparatus with at 
least one of a user name and a password previously provided to the connection server” and “a 
local authentication unit for generating the unique information upon receiving a user name and a 
password input by the user” and “authenticating the user name and the password input by the 
user by judging based on the local authentication information whether or not at least one of the 
user name and the password input by the user is associated with the unique information,” in the 
invention as diselosed by Lander for the purposes of providing authentication based on multiple 
parts of information (i.e. address information, user identity, etc). 

Claim 1 1 : 

Lander discloses a network connection system comprising, 

- “a client apparatus” (i.e. “a client”) [column 8 line 45]; 

“an authentication server for supplying information guiding a conneetion destination to 
the client apparatus” (i.e. “front-end server”) [column 8 line 45]; 

- “a connection server” (i.e. “back-end content servers”) [column 8 line 66]; 

“if authentication is successful, encrypts the second authentication information by a first 
encryption method” (i.e. “The user identifier may also be encr 5 q)ted as an additional 
security precaution”) [column 1 1 lines 46-48]; 

“transmits the encrypted second authentication information to the authentication server” 
(i.e. “When the user signs onto the front-end server cluster 202, the central security 
process 222 transmits the user login data (e.g., username and password) to the policy 
server 204”) [column 11 lines 11-14]; 
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but, Lander does not explicitly disclose, 

“wherein the client apparatus: calculates first authentication information unique to the 
client apparatus to register the first authentication information in the connection server,” 
although Fuh et al. do suggest storing client authorization information, as recited below; 
“acquires local authentication information from the connection server,” although Fuh et 
al do suggest storing client authorization information, as recited below; 

“the local authentication information associating the first authentication information with 
a predetermined authentication information and second authentication information with 
the predetermined authentication information,” although Fuh et al. do suggest storing 
client authorization information, as recited below; 

“stores the local authentication information,” although Fuh et al. do suggest storing client 
authorization information, as recited below; 

“receives second authentication information input by a user when the user instructs a 
connection request with respect to the connection server,” although Fuh et al. do suggest 
receiving transmitted authentication information, as recited below; 

“again calculates the first authentication information unique to the client apparatus,” 
although Fuh et al. do suggest receiving transmitted authentication information, as recited 
below; 

“authenticates the second authentication information and the again calculated first 
authentication information based on the stored local authentication information,” 
although Fuh et al. do suggest verification based on matching, as recited below; 
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“receives, independent of the connection server, from the authentication server a 
connection server address of the connection server,” although Fuh et al do suggest 
sending and receiving source and destination IP addresses in the packets transmitted, as 
recited below; 

“transmits to the connection server address the second authentication information 
encrypted by a second encryption method,” although Fuh et al. do suggest sending and 
receiving source and destination IP addresses in the packets transmitted, as recited below; 

- “starts communication with the connection server,” although Fuh et al do suggest 
permitting access, as recited below; 

however, Fuh et al do disclose, 

“storing client authorization information at the network device” [column 3 lines 5-6]; 

- “Upon intercepting the HTTP packets, the firewall requests, from the client, 
authentication information such as username and password” [column 7 lines 48-50]; 

“A User 302 may enter username information in Username field 504 and may enter 
password information in Password field 506. To communicate the username and 
password information to Authentication Proxy 400, the user selects a "Submit" button 
508” [column 11 lines 61-66]; 

“determining whether a source IP address of the client in the request matches information 
in a filtering mechanism of the network device; and if so, determining whether the source 
IP address matches the authorization information stored in the network device” [column 3 


lines 48-52]; 
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“The fields inelude, among other things, values for source IP address and destination IP 
address of that packet” [column 10 lines 23-24]; 

“In this eontext, "open a passageway" means that the firewall re-configures itself, in 
response to sueeessful authentication, so that packets that would otherwise be barred are 
now allowed to pass” [column 7 lines 58-61]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applieant’s invention to inelude, “wherein the client apparatus: calculates first authentication 
information unique to the client apparatus to register the first authentication information in the 
connection server” and “aequires local authentication information from the connection server” 
and “the local authentication information associating the first authentication information with a 
predetermined authentieation information and second authentication information with the 
predetermined authentication information” and “stores the local authentication information” and 
“receives second authentication information input by a user when the user instructs a connection 
request with respect to the connection server” and “again calculates the first authentieation 
information unique to the client apparatus” and “authenticates the second authentication 
information and the again calculated first authentication information based on the stored local 
authentication information” and “receives, independent of the connection server, from the 
authentication server a connection server address of the connection server” and “transmits to the 
connection server address the second authentication information encrypted by a second 
encryption method” and “starts communication with the connection server,” in the invention as 
disclosed by Lander for the purposes of providing authentication based on multiple parts of 
information (i.e. address information, user identity, etc). 
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Claims 12 & 16: 

Lander discloses a connection method using a network connection system including a client 
apparatus, an authentication server, and a connection server comprising, 

“acquiring a client address and the user identifying information from the client apparatus 
when the authentication server receives the connection request from the client apparatus” 
(i.e. “memory 106, and at least one storage device”) [column 8 line 47]; 

“transmitting by the client apparatus to the authentication server a second connection 
authentication information generated by the client apparatus as user identification 
information together with a connection requesf ’ (i.e. “When the user signs onto the front- 
end server cluster 202, the central security process 222 transmits the user login data (e.g., 
username and password) to the policy server 204”) [column 1 1 lines 11-14]; 

- “acquiring a client address and the user identifying information from the client apparatus 
when the authentication server receives the connection request from the elient apparatus” 
(i.e. “When the user signs onto the front-end server cluster 202, the eentral security 
process 222 transmits the user login data (e.g., username and password) to the poliey 
server 204”) [column 11 lines 11-14]; 
but. Lander does not explicitly disclose, 

“associating the second connection authentication information with a connection server 
address of the connection server,” although Fuh et al. do suggest storing client 
authorization information, as recited below; 
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“transmitting the elient address to the connection server address of the connection server 
when the user identification information is authenticated based on the second connection 
authentication information,” although Fuh et al. do suggest sending and receiving source 
and destination IP addresses in the packets transmitted, as recited below; 

“transmitting the eonnection server address to the client apparatus,” although Fuh et al. 
do suggest sending and receiving source and destination IP addresses in the packets 
transmitted, as reeited below; 

“reeeiving by the elient apparatus, independent of the connection server, the connection 
server address from the authentication server,” although Fuh et al do suggest sending and 
receiving souree and destination IP addresses in the packets transmitted, as recited below; 
“transmitting by the client apparatus a first connection authentication information to the 
connection server address,” although Fuh et al. do suggest receiving transmitted 
authentication information, as recited below; 

“receiving by the connection server the first connection authentication information from 
the client address,” although Fuh et al. do suggest receiving transmitted authentication 
information, as recited below; 

“performing an authentication process by using the first connection authentication 
information transmitted from the client address,” although Fuh et al. do suggest 
performing an authentication and authorization process, as recited below; 

“allowing the connection server to receive the first connection authentication information 
from the client address for a limited time period,” although Fuh et al. do suggest 
permitting access, as recited below; 
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however, Fuh et al do disclose, 

“storing client authorization information at the network device” [column 3 lines 5-6]; 
“The fields include, among other things, values for source IP address and destination IP 
address of that packet” [column 10 lines 23-24]; 

“Upon intercepting the HTTP packets, the firewall requests, from the client, 
authentication information such as username and password” [column 7 lines 48-50]; 

“In response to receiving the authentication information, the firewall performs an 
authentication and authorization process” [column 7 lines 50-52]; 

“In this context, "open a passageway" means that the firewall re-configures itself, in 
response to successful authentication, so that packets that would otherwise be barred are 
now allowed to pass” [column 7 lines 58-61]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “associating the second connection authentication information 
with a connection server address of the connection server” and “transmitting the client address to 
the connection server address of the connection server when the user identification information is 
authenticated based on the second connection authentication information” and “transmitting the 
connection server address to the client apparatus” and “receiving by the client apparatus, 
independent of the connection server, the coimection server address from the authentication 
server” and “transmitting by the client apparatus a first connection authentication information to 
the connection server address” and “receiving by the coimection server the first connection 
authentication information from the client address” and “performing an authentication process by 
using the first connection authentication information transmitted from the client address” and 
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“allowing the eonneetion server to receive the first connection authentication information from 
the elient address for a limited time period,” in the invention as disclosed by Lander for the 
purposes of providing authentication based on multiple parts of information (i.e. address 
information, user identity, etc). 

Claims 13 & 17: 

Lander diseloses a eonneetion method using a network connection system including a client 
apparatus, an authentieation server, and a connection server comprising, 

- “storing by the authentication server a user name and a password which are encrypted by 
a first eneryption method” (i.e. “memory 106, and at least one storage device”) [column 8 
line 47]; 

“transmitting by the client apparatus to the authentication server a connection request and 
the user name and the password which are encrypted by the first encryption method” (i.e. 
“When the user signs onto the front-end server cluster 202, the central security process 
222 transmits the user login data (e.g., username and password) to the poliey server 204”) 
[column 11 lines 11-14]; 

“receiving by the authentication server the connection request from the client apparatus” 
(i.e. “When the user signs onto the front-end server cluster 202, the central security 
process 222 transmits the user login data (e.g., username and password) to the policy 
server 204”) [column 11 lines 11-14]; 
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“acquiring a client address of the client apparatus and the user name and the password, 
which are encrypted by the first encryption method, as information identifying a user of 
the client apparatus” (i.e. “When the user signs onto the Ifont-end server cluster 202, the 
central security process 222 transmits the user login data (e.g., username and password) 
to the policy server 204”) [column 1 1 lines 11-14]; 

- “encrypting using a second encryption method a user name and a password input by a 
user” (i.e. “The user identifier may also be encrypted as an additional security 
precaution”) [column 11 lines 46-48]; 

but. Lander does not explicitly disclose, 

- “storing in a retention unit in the authentication server an association between both the 
encrypted user name and the encrypted password and a connection server address of the 
connection server,” although Fuh et al. do suggest storing client authorization 
information, as recited below; 

“searching, by the authentication server, in response to receiving the information 
identifying the user of the client apparatus from the client apparatus, the retention unit for 
the information identifying the user of the client apparatus to determine the connection 
server address associated with the information identifying the user of the client 
apparatus,” although Fuh et al. do suggest verification based on matching, as recited 
below; 

“transmitting the client address to the coimection server address,” although Fuh et al. do 
suggest sending and receiving source and destination IP addresses in the packets 


transmitted, as recited below; 



Application/Control Number: 10/790,082 
Art Unit: 2436 


Page 42 


“receiving by the connection server the client address,” although Fuh et al do suggest 
sending and receiving source and destination IP addresses in the packets transmitted, as 
recited below; 

“switching, by the connection server, from a state in which authentication information is 
not allowed to be received from the client address, independent of the authentication 
server, to a state in which authentication information is allowed to be received from the 
client address, independent of the authentication server,” although Fuh et al do suggest 
reconfiguration to permit access, as recited below; 

“the switching occurring in response to the receiving of the client address,” although Fuh 
et al do suggest performing actions in response to receiving from a client, as recited 
below; 

“transmitting to the authentication server information indicating that the connection 
server has shifted to a connection wait state in which the connection server allows 
communication from the address of the client apparatus for a predetermined period,” 
although Fuh et al. do suggest reconfiguration to permit access, as recited below; 
“transmitting, independent of the authentication server, to the connection server address 
the user name and the password which are encrypted by the second encryption method,” 
although Fuh et al do suggest receiving transmitted authentication information, as recited 


below; 
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“performing, by the connection server, an authentication process by using the user name 
and the password which are encrypted by the second encryption method and are received 
by the connection server from the client apparatus,” although Fuh et al. do suggest 
performing an authentication and authorization process, as recited below; 

“after a limited time period has elapsed since the connection server performs the 
switching, switching back from the state in which authentication information is allowed 
to be received from the client address, independent of the authentication server, to the 
state in which authentication information is not allowed to be received from the client 
address, independent of the authentication server,” although Fuh et al do suggest 
reconfiguration of access control for permitting/denying access, as recited below; 
however, Fuh et al do disclose, 

- “storing client authorization information at the network device” [column 3 lines 5-6]; 
“determining whether a source IP address of the client in the request matches information 
in a filtering mechanism of the network device; and if so, determining whether the source 
IP address matches the authorization information stored in the network device” [column 3 
lines 48-52]; 

“The fields include, among other things, values for source IP address and destination IP 
address of that packet” [column 10 lines 23-24]; 

“In this context, "open a passageway" means that the firewall re-configures itself, in 
response to successful authentication, so that packets that would otherwise be barred are 
now allowed to pass” [column 7 lines 58-61]; 
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“Upon intereepting the HTTP packets, the firewall requests, from the client, 
authentieation information such as username and password” [column 7 lines 48-50]; 

“In response to receiving the authentication information, the firewall performs an 
authentieation and authorization process” [column 7 lines 50-52]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applieant’s invention to include, “storing in a retention unit in the authentication server an 
assoeiation between both the encrypted user name and the encrypted password and a connection 
server address of the eonneetion server” and “searching, by the authentication server, in response 
to receiving the information identifying the user of the client apparatus from the client apparatus, 
the retention unit for the information identifying the user of the client apparatus to determine the 
connection server address associated with the information identifying the user of the client 
apparatus” and “transmitting the client address to the connection server address” and “receiving 
by the connection server the client address” and “switching, by the eonneetion server, from a 
state in which authentication information is not allowed to be received from the elient address, 
independent of the authentication server, to a state in which authentication information is 
allowed to be received from the client address, independent of the authentication server” and 
“the switching occurring in response to the receiving of the client address” and “transmitting to 
the authentication server information indicating that the connection server has shifted to a 
connection wait state in which the connection server allows communication from the address of 
the client apparatus for a predetermined period” and “transmitting, independent of the 
authentication server, to the connection server address the user name and the password which are 
encrypted by the second encryption method” and “performing, by the connection server, an 
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authentication process by using the user name and the password which are encrypted by the 
second encryption method and are received by the coimection server from the client apparatus” 
and “after a limited time period has elapsed since the connection server performs the switching, 
switching back from the state in which authentication information is allowed to be received from 
the client address, independent of the authentication server, to the state in which authentication 
information is not allowed to be received from the client address, independent of the 
authentication server,” in the invention as disclosed by Lander for the purposes of providing 
authentication based on multiple parts of information (i.e. address information, user identity, 
etc). 

1 1 . Claim 1 8 is rejected under 35 U.S.C. 1 03(a) as being unpatentable over Lander (US- 
7350229-Bl) in view of Fuh et al. (US-6463474-B11 and in view of Johnson (US-20030 163691- 
Al). 

Lander discloses a computer readable medium storing a program causing a computer of a client 
apparatus to execute an access processing to a network system including an authentication server 
and a connection server comprising, 

“user identification information encrypted by the connection server with a first 
encryption method” (i.e. “The user identifier may also be encrypted as an additional 
security precaution”) [column 1 1 lines 46-48]; 

“encrypting the received user identification information with the first encryption method 
when the decrypted first and second information is correct” (i.e. “The user identifier may 
also be encrypted as an additional security precaution”) [column 1 1 lines 46-48]; 



Application/Control Number: 10/790,082 
Art Unit: 2436 


Page 46 


“transmitting, to the authentication server, an access request and the received used 
identifieation information encr}rpted with the first encryption method” (i.e. “When the 
user signs onto the front-end server cluster 202, the central security process 222 transmits 
the user login data (e.g., username and password) to the policy server 204”) [column 1 1 
lines 11-14]; 

but. Lander does not explicitly disclose, 

“wherein, the authentication server includes (i) a first unit that acquires, from the 
eonneetion server, an address of the connection server and,” although Fuh et al do 
suggest sending and receiving source and destination IP addresses in the packets 
transmitted, as recited below; 

“(ii) a first retention unit that stores the address of the connection server and the 
encrypted user identification information which are acquired by the first unit,” although 
Fuh et al. do suggest storing client authorization information, as reeited below; 

“the connection server includes a second retention unit that stores unique information 
which is unique to the client apparatus and the user identification information,” although 
Fuh et al. do suggest storing client authorization information, as recited below; 

“the client apparatus includes a third retention unit that stores an address of the 
authentication server, first information and second information,” although Fuh et al. do 
suggest several devices/apparatuses that are expected to have some form of storage in 


order to function, as recited below; 
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“the aeeess proeessing comprising: requesting a user to enter user identification 
information,” although Fuh et al. do suggest requesting user identification input, as 
recited below; 

“receiving user identification information from the user,” although Fuh et al. do suggest 
user entering identification input, as recited below; 

“generating unique information which is unique to the client apparatus in response to 
receiving the user identification information,” although Fuh et al do suggest user input 
identification information, as recited below; 

“judging whether the decrypted first and second information are correct,” although Fuh et 
^ do suggest performing an authentication and authorization process, as recited below; 
“wherein the first information is generated by the connection server by encr 5 q)ting 
predetermined information with the unique information as a key,” although Johnson does 
suggest hashing/encrypting a first set of information, as recited below; 

“the second information is generated by the connection server by encr 5 q)ting 
predetermined information with the user identification information as a key,” although 
Johnson does suggest encrypting a second set of information, as recited below; 
“decrypting the first information stored in the third retention unit by using the generated 
unique information as a key,” although Johnson does suggest decryption of previously 
encrypted information, as recited below; 

“decrypting the second information stored in the third retention unit by using the received 
user identification information as a key,” although Johnson does suggest decryption of 
previously encrypted information, as recited below; 
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however, Fuh et al do disclose, 

“The fields include, among other things, values for source IP address and destination IP 
address of that packet” [column 10 lines 23-24]; 

“storing client authorization information at the network device” [column 3 lines 5-6]; 
[FIG 3 illustrates a user client making a request to a firewall router and authentication 
server where it would not be unreasonable to expect a user client to have memory for 
storing information temporarily if not for an extended amount of time]; 

- “The login form is an electronic document that requests User 302 to enter username and 
password information, as shown by path 403” [column 1 1 lines 53-55]; 

- “To communicate the username and password information to Authentication Proxy 400, 
the user selects a "Submit" button 508” [column 1 1 lines 63-66]; 

- “A User 302 may enter username information in Username field 504 and may enter 
password information in Password field 506. To communicate the username and 
password information to Authentication Proxy 400, the user selects a "Submit" button 
508” [column 11 lines 61-66]; 

“In response to receiving the authentication information, the firewall performs an 
authentication and authorization process” [column 7 lines 50-52]; 
whereas, Johnson does disclose, 

“Once the user ID is received, the method computes a message digest of the user ID (step 
215). This message digest is simply a binary number that is representative of the user ID. 
In this regard, the message digest may be a simple checksum or other processed value” 
[page 5 para 55 lines 11-13]; 
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“Once the encryption key is selected, the concatenated or otherwise combined message is 
encrypted using the access encryption key (step 240). Again, consistent with the scope 
and spirit of the invention, any of a variety of a known encryption methodologies or 
algorithms may be employed to perform this step” [page 5 para 62 lines 1-3]; 

“Although not separately illustrated, it should be appreciated that the decryption process 
is simply the opposite of the encryption process that was illustrated in FIG. 3” [page 6 
para 72 lines 1-3]; 

Therefore, it would have been obvious for one of ordinary skill in the art at the time of the 
applicant’s invention to include, “wherein, the authentication server includes (i) a first unit that 
acquires, from the connection server, an address of the connection server and” and “(ii) a first 
retention unit that stores the address of the connection server and the encrypted user 
identification information which are acquired by the first unit” and “the connection server 
includes a second retention unit that stores unique information which is unique to the client 
apparatus and the user identification information” and “the client apparatus includes a third 
retention unit that stores an address of the authentication server, first information and second 
information” and “the access processing comprising: requesting a user to enter user identification 
information” and “receiving user identification information from the user” and “generating 
unique information which is unique to the client apparatus in response to receiving the user 
identification information” and “judging whether the decrypted first and second information are 
correct” and “wherein the first information is generated by the connection server by encrypting 
predetermined information with the unique information as a key” and “the second information is 
generated by the connection server by encrypting predetermined information with the user 
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identification information as a key” and “decrypting the first information stored in the third 
retention unit by using the generated unique information as a key” and “decrypting the second 
information stored in the third retention unit by using the received user identification information 
as a key,” in the invention as disclosed by Lander for the purposes of providing authentication 
based on multiple parts of information (i.e. address information, user identity, etc) while utilizing 
multiple encryption steps for improved security. 

Response to Arguments 

12. Applicant's arguments with respect to claims 1-3, 5-7, 10, & 13-18 have been considered 
but are moot in view of the new ground(s) of rejection as necessitated by the applicant’s 
amendments. 

1 3 . Applicant’ s arguments, see pages 17-21, filed 09/09/2008, with respect to the rej ection(s) 
of claim(s) 9, 1 1, & 12 under 35 U.S.C. 102(e) and 35 U.S.C. 103(a) have been fully considered 
and are persuasive. Therefore, the rejection has been withdrawn. However, upon further 
consideration, a new ground(s) of rejection is made in view of a different interpretation of the 
previously applied reference and in view of newly found prior art references. 


Conclusion 

14. The prior art made of record and not relied upon is considered pertinent to the applicant’s 


disclosure. 
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a. Henry et al (US-697 1005-Bl and US-7069433-B1) - virtual single account client 
[covers some similar aspects with respect to the protection of remote access and 
generation of encryption information (i.e. key)] 
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